Two recent interactions – one business meeting and one personal conversation – prompted me to write this piece. Both these experiences, coupled with experiences over the last few years, drove me to these conclusions:
- People don’t see cybersecurity as a problem they are responsible for; and
- People just don’t care about cybersecurity.
While these conclusions are upsetting, I find them both valuable as well. They have value because they can serve as starting points to explain why you are responsible for your behavior online and why you should care about cybersecurity.
In both interactions, I had respective “flash point” moments where I thought to myself, “Houston, we have a problem.” Here’s how the interactions unfolded.
During the business meeting – which started as more of a “how do we keep the lights on during a crisis” conversation – the discussion shifted to cybersecurity. One participant said, “But cybersecurity is such a specific issue. Should all these senior executives really focus their attention on this niche problem?”
I felt like we just lost the main thruster.
This comment prompted me to take the conversation back to basics (feel free to check out last year’s blog post on the basics).
Disclaimer: I consider the person who made this comment very knowledgeable and bright, so this wasn’t a case of ignorance or dismissiveness. Furthermore, the others in the room tended to agree with the person who made the comment, so my “aha!” moment came when I realized we have a fundamental problem: our common understanding of cybersecurity is inherently incomplete and flawed.
So I went back to the basics and began to outline how cybersecurity and all related issues, like data integrity and information warfare, are not niche issues for an organization. In fact, they are core business issues which, if mismanaged, can force your business to close shop overnight. Really, EVERYTHING we do today relies on some sort of network or data communications system. This is not niche. This is the furthest thing away from niche.
By explaining to the participants in the room – in the absolute simplest possible way – what “cybersecurity” touches in any organization, if nothing else, I felt like they walked away with a sense of “maybe we need to think about this differently.”
One small step for a better understanding of cybersecurity, one giant leap for protecting your organization.
The second interaction arose during a quick catch up with a friend who – generically speaking – works in an industry we rely on every single day. My friend said to me, “Yeah, these audit and IT people drive me nuts. I don’t really care about protecting the information. I’m a marketer. That’s their job, not mine.”
The hyperdrive on the Millennium Falcon just went clunk and R2-D2 is nowhere in sight to help get us back to light speed.
With no disrespect to my friend – we have been conditioned to think our devices are safe because of anti-virus, firewalls, monitoring software, and name your latest piece of software garbage that promises you the path to cybersecurity paradise.
A car with every single safety feature possible still has one basic requirement to ensure safety: a driver who drives safely!
Our devices – really, there’s no difference between “desktop” and “tablet” and “smartphone” anymore, they’re all powerful computers – are little ticking data time bombs that, at best, may only hurt us personally if they go off, and at worst, take out some of the people and organizations we care about most (or rely on for a paycheck).
If you have been following my posts and other writings, you’ll know that I’m a fan – a big fan – of segregating your devices and accounts for specific tasks.
Does this have a greater upfront cost? Yes. Does this mean I lose some functionality? Yes. Does this mean I may have to carry three devices instead of one while traveling? Yes. But you know what else this does? It allows me to quickly triage and deal with a problem if it arises.
Sometimes people hand me their phones to show me something and I can’t resist; I need to look at the taskbar to catch a quick glimpse of all the services running and radios that are on or broadcasting. My inner voice most often wants to yell out “why don’t you just paint yourself neon green, start yelling at the top of your lungs, and leave a trail of bread crumbs while you’re at it!”
In a digital sense, that’s what most of us are doing. Somewhere, somebody had the bright idea to monetize data collection in exchange for convenience. That worked great for a while, except all these conveniences are coming back to bite us in the behind … meaning people are trying to make money on bite prevention therapy.
Perhaps I live with a tad more simplicity. Instead of trying the latest and greatest mosquito repellent at each and every turn (because short of walking through the path with a flamethrower turned to 11, I’m still likely to get a bite or two), maybe I just avoid mosquito infested paths if I really don’t need to walk through them.
Yes, having a Facebook app on your “phone” (aka computer in your pocket) – which you use for business e-mail and personal banking and calling your mom and taking pictures of food that has enough embedded metadata tags to allow you never to forget where you have eaten every meal for the last six years – may be fun and convenient for you, but understand what you could be giving up and respect what those data leaks could cost you and the organization that employs you.
This is why cybersecurity is everybody’s problem. It’s not a niche issue. Yes, people are becoming more aware of cybersecurity problems, but they do not really understand them. I have friends who occasionally forward me “cybersecurity stuff” (which I appreciate) but it’s all the same vendor garbage. People toss around words like “continuity” and “resilience” and similar jargon, which convinces me more and more of what Nassim Nicholas Taleb – somebody who really understands risk – says: there are a lot of charlatans out there trying to make a quick buck on the latest fad.
And just like Taleb is a fan of localism, I’m a fan of localism as it relates to cybersecurity. Don’t expect some IT nerd in some far off department to protect your data. Don’t believe vendors who put their interests (taking your money) ahead of yours (protecting your data). You protect it. Yourself. It’s better for you. It’s better for everybody. Be responsible for your own affairs. It’s a type of change in thinking that could make a meaningful cybersecurity impact.
By George Platsis, SDI Cyber Risk Practice
June 5, 2018